Report No. AUD-08-013                                          August 2008

Controls for Protecting the Confidentiality of Sensitive Email Communications

Federal Deposit Insurance Corporation

Why We Did The Audit

The FDIC Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to audit and report on the FDIC's controls over the confidentiality of sensitive email communications. The results of this audit will support the OIG in fulfilling its evaluation and reporting responsibilities under the Federal Information Security Management Act of 2002.

The objective of the audit was to assess the FDIC's controls for protecting the confidentiality of sensitive email communications and to identify opportunities for mitigating risk where appropriate.

Background

The FDIC uses email extensively, internally and externally, to exchange business information such as open bank data, contract negotiations, personnel data, and legal matters. Protecting the confidentiality of sensitive email communications requires a comprehensive set of security controls and sustained vigilance to address current and emerging security threats.

The FDIC's Division of Information Technology (DIT) has overall responsibility for providing email service to the Corporation and for maintaining the FDIC's email infrastructure. The FDIC's email infrastructure requires administrators (trusted individuals) to perform necessary maintenance. Because of the nature of their duties, administrators have the ability to access the unencrypted email communications of others.

Audit Results

KPMG found that the FDIC had a number of key controls in place to protect the confidentiality of sensitive email communications. Such controls include, for example, a corporate policy governing the encryption of sensitive email communications; an enterprise-wide email encryption solution; background checks and confidentiality agreements for administrators supporting the email infrastructure; and a security awareness and training program addressing, among other things, the protection of sensitive email communications. DIT was also working to implement a number of additional email security control improvements during the audit.

While such actions were positive, controls over administrator access to the email infrastructure needed to be strengthened. In addition, KPMG identified several potential control enhancements intended to further mitigate the risk of email exposure at the FDIC that DIT should assess for implementation.

Recommendations and Management Response

KPMG recommended that the Director, DIT, strengthen controls over administrator access to the email infrastructure and assess the potential control enhancements identified during the audit. The FDIC concurred with both recommendations, and its planned actions are responsive to the recommendations.

Because this report addresses issues associated with information security, we do not intend to make public release of the specific contents of the report.